Japan's Information-technology Promotion Agency (IPA) announced the start of Japan's new cyber-security labelling system JC-STAR. The system is Japan's response to increasing cyber-attacks on the country's digital infrastructure and designed to increase its safety.

Outline
The JC-STAR system aims to evaluate and visualize the security features incorporated in IoT products using a common standard. By allowing government agencies, private companies, and general consumers—purchasers and procurers of IoT products—to verify this system's label, it facilitates the easy selection of products that meet desired security levels.

Scope:
The system covers a wide range of IoT products equipped with communication functions using internet protocols, including those not directly connected to the internet. However, devices such as personal computers and smartphones are excluded from its scope.

Standards:
It establishes criteria to address common minimum threats (★1) and standards tailored to the characteristics of specific IoT product types (★2, ★3, ★4). It is a voluntary system employing multiple conformity assessment levels to align with required security levels.

Labeling
To promote widespread use, labels based on ★1 and ★2 are issued by IPA (Information-technology Promotion Agency) via self-declaration of conformity. For ★3 and ★4, which are intended for procurement by government agencies and critical infrastructure operators requiring high reliability, labels are issued following third-party certification by an independent evaluator.

IoT Product Labeling
IoT products that obtain the label can display the "Conformity Label" on their products or packaging. The label includes a QR code managed by IPA, embedding the URL for a dedicated product information page.

Validity and Fees
The ★1 conformity label is valid for up to two years. The application fee for ★1, for applications received by September 30, 2025, is ¥110,000 (tax included). *The regular fee is ¥198,000 (tax included).*

Impact on Government Procurement

METI plans to start discussions this year to require labelling for IoT products (Network camera's and communication devices) (>★2) for government procurement contracts. Applications in these products areas are scheduled to start in January 2026. To reduce the burden of conformity assessments efforts are underway to establish a cooperative system aligned with the regulations of other countries. Specifically, negotiations with foreign authorities are ongoing to achieve mutual recognition with systems such as the EU's Cyber Resilience Act.

Source: https://www.ipa.go.jp/pressrelease/2024/press20250325.html